Systems and methods for exporting, publishing, browsing and installing on-demand applications in a multi-tenant database environment

ABSTRACT

In accordance with embodiments, there are provided mechanisms and methods for creating, exporting, viewing and testing, and importing custom applications in a multitenant database environment. These mechanisms and methods can enable embodiments to provide a vehicle for sharing applications across organizational boundaries. The ability to share applications across organizational boundaries can enable tenants in a multi-tenant database system, for example, to easily and efficiently import and export, and thus share, applications with other tenants in the multi-tenant environment.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. application Ser. No.17/655,657 filed Mar. 21, 2022, which is a continuation of U.S.application Ser. No. 16/689,960 filed Nov. 20, 2019 (now U.S. Pat. No.11,314,494 issued Apr. 26, 2022), which is a continuation of U.S.application Ser. No. 15/453,539 filed Mar. 8, 2017 (now U.S. Pat. No.10,521,211 issued Dec. 31, 2019), which is a continuation of U.S.application Ser. No. 15/194,418 filed Jun. 27, 2016 (now U.S. Pat. No.10,235,148 issued Mar. 19, 2019), which is continuation of U.S.application Ser. No. 14/160,537 filed Jan. 21, 2014 (now U.S. Pat. No.9,378,227 issued Jun. 28, 2016), which is a continuation of U.S.application Ser. No. 13/088,491 filed Apr. 18, 2011 (now U.S. Pat. No.8,635,232 issued Jan. 21, 2014), which is a continuation of U.S.application Ser. No. 11/530,394 filed Sep. 8, 2006 (now U.S. Pat. No.7,949,684 issued May 24, 2011), which claims the benefit of U.S.Provisional Application No. 60/715,749 filed Sep. 9, 2005, which arehereby incorporated by reference.

FIELD OF THE INVENTION

The present invention relates generally to databases, and moreparticularly to systems and methods for creating and exchangingcustomized applications in a multi-tenant 15 and/or multi-applicationdatabase system.

BACKGROUND

Not too long after inventing numbers and a writing system, early humansrealized that they had inadvertently created information. With thecreation of information came a problem that would vex humankind for thenext several millennia: how to store and manage the information.

Fortunately, the amount of information created by early humans wasrelatively small and could be tracked using ten fingers and ten toes.Stone or clay tablets were employed to track information when a morepermanent record was desired. One early well known example of thismechanism was used by Moses, who stored a body often 25 Commandments ontwo such stone tablets. These mechanisms were limited, however, towrite-once, read-many implementations and were tightly constrained incapacity.

With the advent of the Gutenberg printing press, came the ability tostore larger quantities of information as well as to produce copies ofstored information in volume. While, these mechanisms also were limitedto write-once, read-many implementations, they facilitated thewidespread dissemination of knowledge, which in tum accelerated theadvance of technical progress. A few centuries later, the computer anddatabase software systems appeared. The computer database provided largecapacity, write-read storage in a readily available package. For awhile,it appeared that humankind's age old information storage and managementproblem had finally been solved.

Computer databases, however, are plagued by numerous problems. Eachorganization, business or agency, installs its own copy of the database.It was not long, however, before users wished to add their own customobjects and applications to their database in addition to the standardobjects and standard applications already provided. The desire forcustomization lead to disparate schema, an organization of the types ofinformation 10 being stored in the database, as well as applicationsrelying upon that schema being implemented by different users. Disparateschema, in tum blocked any hope of users in different organizations ofsharing information or applications among one another.

BRIEF SUMMARY

In accordance with embodiments, there are provided mechanisms andmethods for creating, exporting, viewing and testing, and importingcustom applications in a multi-tenant database environment. Thesemechanisms and methods can enable embodiments to provide a vehicle forsharing applications across organizational boundaries. The ability toshare applications across organizational boundaries can enable tenantsin a multi-tenant database 20 system, for example, to easily andefficiently import and export, and thus share, applications with othertenants in the multi-tenant environment. As used herein, the termmulti-tenant database system refers to database system implementing amulti-tenant architecture that enables customer organizations (i.e.,tenants) to share applications and data, and database resources, in onelogical database. In multi-tenant database environments, even thedatabase 25 tables themselves can be shared across the tenants. Forexample, each entity in the data model could contain an organization_idcolumn that distinguishes rows for each tenant. Queries and datamanipulation in the context of a tenant filter on this (indexed)organization_id column to ensure proper security and the appearance ofvirtual private databases. This strategy enables multi-tenant databaseembodiments to be able to expose standard entities such as Account,Contact, Lead, and Opportunity entities to customers.

In embodiments, using the same physical storage mechanism and schema forthe exported container organization as for all other organizations inthe multi-tenant database system provides the capability to assure thatthe container organization can be seamlessly upgraded going forward.

In embodiments, a package that defines an application is created tofacilitate exporting the application. The package may contain metadataand other materials that define 5 the application. When the package isimported into a recipient organization, the package is kept logicallyseparate for the lifetime of the organization. Thus embodiments preservethe uniqueness of the imported package, enabling a user at the recipientorganization to be able to navigate to the package as a separate item.Embodiments provide the capability to disable changes to the importedobjects in the package as well as to uninstall the package in thefuture.

According to one aspect and by way of example, the ability to define andexchange application functionality with other organizations in amulti-tenant database is provided by creating a package, includingmetadata, that defines an application at a creating organization andproviding the package to another organization. Optionally, the creatingorganization may provide access to the application by publishingmetadata from the package in a directory of applications, or may providea link to the package, such as for example a URL, to anotherorganization. Interested organizations with access to the applicationpackage may view and test such a published package, as well as importand install the package.

According to another aspect, a directory of applications is provided.The directory is an online catalog of user-developed applications. Thedirectory includes publicly available applications and privateapplications that may not be accessed without knowledge of the correctlink to the package. Visitors accessing the public directory are able tolearn about available applications, view descriptions of applicationsdeveloped by application builders, and gain access to the import(installation) URLs. Application developers visit the directory site tosubmit and maintain descriptions of applications they have created,whether public or private. To ensure quality, application entries may bereviewed by internal directory management personnel before being addedto the public directory. In one aspect, community feedback in the formof user-submitted ratings, comments, and number of installations areincluded in the directory and provide a potential recipient a way togauge the reputation and value of each application. Visitors may browsefor applications by business solution category, or sorted by highestrating, developer name, most popular, and other ordering mechanisms.

According to another aspect of the present invention, a method isprovided for sharing an application in a multi-tenant databaseenvironment including a multi-tenant database that stores data andobjects for a plurality of organizations. The method typically includescreating a package metadata object that references a set of one or moremetadata objects associated with a first organization, storing thepackage metadata object in a database system, and allowing access to thepackage metadata object to a user in a second organization. In certainaspects, a method is provided that typically includes creating a packagecomprising an object and a set of one or more objects that are dependentupon said object, wherein the object and dependent objects areassociated with a first organization, storing the package in a databasesystem, and allowing access to the package to a user in a secondorganization. In certain aspects, the methods include validating thepackage metadata object or the package.

Reference to the remaining portions of the specification, including thedrawings and claims, will realize other features and advantages of thepresent invention. Further features and advantages of the presentinvention, as well as the structure and operation of various embodimentsof the present invention, are described in detail below with respect tothe accompanying drawings. In the drawings, like reference numbersindicate identical or functionally similar elements.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates an environment wherein a multi-tenant database systemmight be used.

FIG. 2 illustrates elements of FIG. 1 and various interconnectionsbetween the elements.

FIG. 3 shows a data model for a Directory of applications in anembodiment.

FIG. 4 shows a definition of a DirectoryEntry object and other objectsin an embodiment.

FIG. 5 shows a solutions category hierarchy in an embodiment.

FIG. 6 shows an example of a GUI screen that allows a user to create apackage in 30 an

FIG. 7 shows an example of a GUI screenshot showing information,including included items, for a created package in an embodiment.

FIG. 8 shows an example of a Project data model definition and a ProjectMember data model definition in an embodiment.

DETAILED DESCRIPTION

In embodiments, the present invention provides systems and methods forcreating and exchanging customized applications in a multi-tenantdatabase system.

Customers may wish to add their own custom objects and applications totheir database system in addition to the standard objects and standardapplications already provided. In a traditional client/serverapplication, where the customer has its own physical database, addingcustom objects is typically done via DDL (data definition language)against that database to create new physical schema—tables and columns.In an online multi-tenant database system, this approach may beuntenable for various reasons. For example, for a database system with alarge population of tenants (e.g., on the order of 1,000 or 10,000 ormore tenants), the union of all desired schema would overwhelm theunderlying data dictionary catalog (e.g., Oracle dictionary).Additionally, the maintenance of all of these schema objects would be anearly impossible burden for DBAs (database administrators). Further,current relational databases do not support online DDL (in a highlyconcurrent transactional system) well enough for organizations to remainlogically independent. Specifically, the creation of schema by oneorganization could lock an application for all other customers causingunacceptable delays.

Many application platforms have the concept of different applicationsthat one can install. Windows, for example, has applications that can beinstalled as does Linux and other operating systems. Several websitesallow one to browse and select applications for download andinstallation. For example, CNET has the download.com site that allowsone to download PC based applications. Other enterprise softwaretoolkits have the ability to specify a package of metadata and export itfrom one environment and import it into another. For example, Peoplesofthas the ability to do this using either importing/exporting over an odbcconnection or via a flat file. With flat file and odbc based approaches,there exists the risk of not being able to import packages that weredefined or exported using a previous version. Microsoft has an officedirectory that allows one to download useful spreadsheet or worddocument templates from their central web site. However, these systemsdo not allow users to easily and efficiently import and exportapplications in a multi-tenant environment. These systems also do notpreserve the uniqueness of an imported application; one cannot navigateto it as a separate item. Other systems also do not allow one to disablechanges to the imported objects in the imported application anduninstall the application in the future.

FIG. 1 illustrates an environment wherein a multi-tenant database systemmight be used. As illustrated in FIG. 1 any user systems 12 mightinteract via a network 14 with a multi-tenant database system (MTS) 16.The users of those user systems 12 might be users in differingcapacities and the capacity of a particular user system 12 might beentirely determined by permissions (permission levels) for the currentuser. For example, where a salesperson is using a particular user system12 to interact with MTS 16, that user system has the capacities allottedto that salesperson. However, while an administrator is using that usersystem to interact with MTS 16, that user system has the capacitiesallotted to that administrator. Thus, different users will havedifferent capabilities with regard to accessing and modifyingapplication and database information, including tab and tab setdefinition and profile information, depending on a user's permissionlevel.

Network 14 can be a LAN (local area network), WAN (wide area network),wireless network, point-to-point network, star network, token ringnetwork, hub network, or other configuration. As the most common type ofnetwork in current use is a TCPIIP (Transfer Control Protocol andInternet Protocol) network such as the global internetwork of networksoften referred to as the “Internet” with a capital “I,” that will beused in many of the examples herein. However, it should be understoodthat the networks that the present invention might use are not solimited, although TCP/IP is the currently preferred protocol.

User systems 12 might communicate with MTS 16 using TCPIIP and, at ahigher network level, use other common Internet protocols tocommunicate, such as HTTP, FTP, AFS, WAP, etc. As an example, where HTTPis used, user system 12 might include an HTTP client commonly referredto as a “browser” for sending and receiving HTTP messages from an HTTPserver at MTS 16. Such HTTP server might be implemented as the solenetwork interface between MTS 16 and network 14, but other techniquesmight be used as well or instead. In some implementations, the interfacebetween MTS 16 and network 14 includes load sharing functionality, suchas round-robin HTTP request distributors to balance loads and distributeincoming HTTP requests evenly over a plurality of servers. Each of theplurality of servers has access to the MTS's data, at least as for theusers that are accessing that server.

In one aspect, the system shown in FIG. 1 implements a web-basedcustomer relationship management (CRM) system. For example, in oneaspect, MTS 16 can include application servers configured to implementand execute CRM software applications as well as provide related data,code, forms, web pages and other information to and from user systems 12and to store to, and retrieve from, a database system related data,objects and web page content. With a multi-tenant system, tenant data ispreferably arranged so that data of one tenant is kept logicallyseparate from that of other tenants so that one tenant does not haveaccess to another's data, unless such data is expressly shared. Inaspects, system 16 implements applications other than, or in additionto, a CRM application. For example, system 16 may provide tenant accessto multiple hosted (standard and custom) applications, including a CRMapplication.

One arrangement for elements of MTS 16 is shown in FIG. 1 , including anetwork interface 20, storage 22 for tenant data, storage 24 for systemdata accessible to MTS 16 and possibly multiple tenants, program code 26for implementing various functions of MTS 16, and a process space 28 forexecuting MTS system processes and tenant-specific processes, such asrunning applications as part of an application hosting service.

Several elements in the system shown in FIG. 1 include conventional,well-known elements that need not be explained in detail here. Forexample, each user system 12 could include a desktop personal computer,workstation, laptop, PDA, cell phone, or any WAP-enabled device or anyother computing device capable of interfacing directly or indirectly tothe Internet or other network connection. User system 12 typically runsan HTTP client, e.g., a browsing program, such as Microsoft's InternetExplorer browser, Netscape's Navigator browser, Opera's browser, or aWAP-enabled browser in the case of a cell phone, PDA or other wirelessdevice, or the like, allowing a user (e.g., subscriber of themulti-tenant database system) of user system 12 to access, process andview information, pages and applications available to it from MTS 16over network 14. Each user system 12 also typically includes one or moreuser interface devices, such as a keyboard, a mouse, touch screen, penor the like, for interacting with a graphical user interface (GUI)provided by the browser on a display (e.g., monitor screen, LCD display,etc.) in conjunction with pages, forms, applications and otherinformation provided by MTS 16 or other systems or servers. For example,the user interface device can be used to select tabs and tab sets,create and modify applications, and otherwise allow a user to interactwith the various GUI pages, for example, as described in U.S.application Ser. No. 11/075,546, entitled “Systems and Methods forImplementing Multi-Application Tabs and Tab Sets,” filed Mar. 8, 2005(now U.S. Pat. No. 7,774,366 issued Aug. 10, 2010, hereinafter, “U.S.Pat. No. 7,774,366”), which is incorporated by reference in its entiretyherein.

As discussed above, the present invention is suitable for use with theInternet, which refers to a specific global internetwork of networks.However, it should be understood that other networks can be used insteadof the Internet, such as an intranet, an extranet, a virtual privatenetwork (VPN), a non-TCP/IP based network, any LAN or WAN or the like.

According to one embodiment, each user system 12 and all of itscomponents are operator configurable using applications, such as abrowser, including computer code run using a central processing unitsuch as an Intel Pentium processor or the like. Similarly, MTS (andadditional instances of MTS's, where more than one is present) and allof their components might be operator configurable using application(s)including computer code run using a central processing unit such as anIntel® Pentium processor or the like, or multiple processor units.Computer code for operating and configuring MTS 16 to intercommunicateand to process web pages, applications and other data and media contentas described herein is preferably downloaded and stored on a hard disk,but the entire program code, or portions thereof, may also be stored inany other volatile or non-volatile memory medium or device as is wellknown, such as a ROM or RAM, or provided on any other informationstorage media capable of storing program code, such as a compact disk(CD) medium, digital versatile disk (DVD) medium, a floppy disk, and thelike. Additionally, the entire program code, or portions thereof, may betransmitted and downloaded from a software source, e.g., over theInternet, or from another server, as is well known, or transmitted overany other conventional network connection as is well known (e.g.,extranet, VPN, LAN, etc.) using any communication medium and protocols(e.g., TCP/IP, HTTP, HTTPS, Ethernet, etc.) as are well known. It willalso be appreciated that computer code for implementing aspects of thepresent invention can be implemented in any programming language thatcan be executed on a server or server system such as, for example, in C,C++, HTML, any other markup language, Java™, JavaScript, any otherscripting language such as VBScript, and many other programminglanguages as are well known. (Java™ is a trademark of Sun Microsystems,Inc.)

According to one embodiment, each MTS 16 is configured to provide webpages, forms, applications, data and media content to user systems 12 tosupport the access by user systems 12 as tenants of MTS 16. As such, MTS16 provides security mechanisms to keep each tenant's data separateunless the data is shared. If more than one MTS is used, they may belocated in close proximity to one another (e.g., in a server farmlocated in a single building or campus), or they may be distributed atlocations remote from one another (e.g., one or more servers located incity A and one or more servers located in city B). As used herein, eachMTS could include one or more logically and/or physically connectedservers distributed locally or across one or more geographic locations.Additionally, the term “server” is meant to include a computer system,including processing hardware and process space(s), and an associatedstorage system and database application (e.g., OODBMS or RDBMS) as iswell known in the art. It should also be understood that “server system”and “server” are often used interchangeably herein. Similarly, thedatabases described herein can be implemented as single databases, adistributed database, a collection of distributed databases, a databasewith redundant online or offline backups or other redundancies, etc.,and might include a distributed database or storage network andassociated processing intelligence.

FIG. 2 illustrates elements of MTS 16 and various interconnectionsbetween these elements in an embodiment. In this example, the networkinterface is implemented as one or more HTTP application servers 100.Also shown is system process space 102 including individual tenantprocess spaces 104, a system database 106, tenant database(s) 108 and atenant management process space 110. Tenant database 108 might bedivided into individual tenant storage areas 112, which can be either aphysical arrangement or a logical arrangement. Within each tenantstorage area 112, user storage 114 might similarly be allocated for eachuser.

It should also be understood that each application server 100 may becommunicably coupled to database systems, e.g., system database 106 andtenant database(s) 108, via a different network connection. For example,one server 1001 might be coupled via the Internet 14, another server 100_(N-1) might be coupled via a direct network link, and another server100 _(N) might be coupled by yet a different network connection.Transfer Control Protocol and Internet Protocol (TCPIIP) are preferredprotocols for communicating between servers 100 and the database system,however, it will be apparent to one skilled in the art that othertransport protocols may be used to optimize the system depending on thenetwork interconnect used.

In aspects, each application server 100 is configured to handle requestsfor any user/organization. Because it is desirable to be able to add andremove application servers from the server pool at any time for anyreason, there is preferably no server affinity for a user and/ororganization to a specific application server 100. In one embodiment,therefore, an interface system (not shown) implementing a load balancingfunction (e.g., an F5 Big-IP load balancer) is communicably coupledbetween the servers 100 and the user systems 12 to distribute requeststo the servers 100. In one aspect, the load balancer uses a leastconnections algorithm to route user requests to the servers 100. Otherexamples of load balancing algorithms, such as round robin and observedresponse time, also can be used. For example, in certain aspects, threeconsecutive requests from the same user could hit three differentservers, and three requests from different users could hit the sameserver. In this manner, MTS 16 is multi-tenant, wherein MTS 16 handlesstorage of, and access to, different objects, data and applicationsacross disparate users and organizations.

As an example of storage, one tenant might be a company that employs asales force where each salesperson uses MTS 16 to manage their salesprocess. Thus, a user might maintain contact data, leads data, customerfollow-up data, performance data, goals and progress data, etc., allapplicable to that user's personal sales process (e.g., in tenantdatabase 108). In the preferred MTS arrangement, since all of this dataand the applications to access, view, modify, report, transmit,calculate, etc., can be maintained and accessed by a user system havingnothing more than network access, the user can manage his or her salesefforts and cycles from any of many different user systems. For example,if a salesperson is visiting a customer and the customer has Internetaccess in their lobby, the salesperson can obtain critical updates as tothat customer while waiting for the customer to arrive in the lobby.

While each user's data might be separate from other users' dataregardless of the employers of each user, some data might beorganization-wide data shared or accessible by a plurality of users orall of the users for a given organization that is a tenant. Thus, theremight be some data structures managed by MTS 16 that are allocated atthe tenant level while other data structures might be managed at theuser level. Because an MTS might support multiple tenants includingpossible competitors, the MTS should have security protocols that keepdata, applications and application use separate. Also, because manytenants will opt for access to an MTS rather than maintain their ownsystem, redundancy, up-time and backup are additional critical functionsand need to be implemented in the MTS.

In addition to user-specific data and tenant-specific data, MTS 16 mightalso maintain system level data usable by multiple tenants or otherdata. Such system level data might include industry reports, news,postings, and the like that are sharable among tenants.

In certain aspects, client systems 12 communicate with applicationservers 100 to request and update system-level and tenant-level datafrom MTS 16 that may require one or more queries to database system 106and/or database system 108. For example, in one aspect MTS 16 (e.g., anapplication server 100 in MTS 16) generates automatically a SQL queryincluding one or more SQL statements designed to access the desiredinformation.

Each database can generally be viewed as a collection of objects, suchas a set of logical tables, containing data placed into predefinedcategories. A “table” is one representation of a data object, and isused herein to simplify the conceptual description of objects and customobjects according to the present invention. It should be understood that“table” and “object” may be used interchangeably herein. Each tablegenerally contains one or more data categories logically arranged, e.g.,as columns or fields in a viewable schema. Each row or record of a tablecontains an instance of data for each category defined by the fields.For example, a CRM database may include a table that describes acustomer with fields for basic contact information such as name,address, phone number, fax number, etc. Another table might describe apurchase order, including fields for information such as customer,product, sale price, date, etc. In some multi-tenant database systems,standard entity tables might be provided for use by all tenants. For CRMdatabase applications, such standard entities might include tables forAccount, Contact, Lead and Opportunity data, each containing pre-definedfields.

According to one aspect, a user can design their own custom applicationsincluding custom objects, custom tabs, custom fields, and custom pagelayouts. U.S. application Ser. No. 10/817,161, entitled “Custom Entitiesand Fields in a Multi-Tenant Database System” filed Apr. 2, 2004 (nowU.S. Pat. No. 7,779,039 issued Aug. 17, 2010), which is hereinincorporated by reference in its entirety, discloses systems and methodsfor creating and customizing objects such as entities and fields. Thesystems and methods presented therein offer a flexible approach tostoring variable schema data in a fixed physical schema. Tabs and tabsets can also be created and customized to define relationships betweencustom objects and fields, standard objects and fields, and applicationsand to track related data. U.S. Pat. No. 7,774,366 discloses systems andmethods for creating and customizing tabs and tab sets in a multi-tenantenvironment. A brief summary of tabs and tab set creation andfunctionality as described therein follows.

Custom Tabs and Tab Sets

In embodiments, a tab represents a user interface into an element of anapplication or into a database object. Selection of a tab provides auser access to the object or element of the application represented bythe tab. A tab set is a group of related tabs that work as a unit toprovide application functionality. New tabs and tab sets may be definedand tab set views may be customized so that an end user can easily andconveniently switch between the various objects and application elementsrepresented by the defined tabs and tab sets. In one aspect, forexample, tabs and tab sets may be used as a means to switch betweenapplications in a multiple application environment, such as an on-demandweb-based hosted application environment.

A tab set typically includes a name, a logo, and an ordered list oftabs. A tab set is typically viewed in a graphical user interface (GUI)environment, e.g., using a browser application running on a user'scomputer system. A standard tab set definition may be provided by a hostsystem, e.g., MTS 16. Standard tab sets are pre-defined sets of tabs,e.g., imported from a source that provides a capability (e.g.,templating capability) that determines which tabs, tab sets and data atenant or user is initially provisioned with. One example of standardtab sets are provided by the salesforce.com website through itssubscription CRM service. Using these standard tab sets, users areprovided access to standard tables or entities such as Account, Contact,Lead and Opportunity entities. As another example, in the salesforce.comservice, a user can create custom entities as well as custom fields forstandard entities, and a user can create a tab set including tabsrepresenting custom entities and fields.

A user may create custom tab sets and custom tabs. Preferably onlyadministrator level users are provided with tab set creationfunctionality based on their stored permissions. Additionally, users maycustomize their view of tab sets, including the order of displayed tabsand which tabs in a tab set are displayed. To allow users toconveniently organize their tabs, each tab may appear in any and all tabsets if desired. Preferably, any user can edit tab combination andorder, but cannot rename or replace a logo; tab set naming and logoselection are preferably only administrator level functions. Forexample, administrators may create new tab sets and customize existingtab sets. For all tab sets, an administrator can specify which tabs areincluded, and the order that the tabs should be displayed. Fororganization-specific tab sets, an administrator can also specify thename and provide an optional logo. For standard tab sets provided by thehost system, e.g., tab sets provided by salesforce.com, such asSalesforce and Support force tab sets, an administrator is barred fromchanging the name or logo, nor can the administrator delete the standardtab set. Preferably, any user can fully customize their view of all thetab sets they have permission to view. The tabs a user can view (anduse) are based on the user's permission level. A profile for each tabset allows an administrator level user to set the profile levelviewability of tabs and tab sets, e.g., so that groups of users atcertain permission levels may be restricted from viewing (and using)certain tabs or tab sets, and therefore also may be restricted fromaccessing or viewing certain objects and applications referenced by therestricted tabs or tab sets.

Thus, in one aspect, a tab set can be thought of as a filter that isoverlaid on top of an existing profile-level tab visibility definition.An administrator sets the default tabs that are included in each tab setfilter, but each user can override as they like—the only thing theypreferably cannot change is the tab set name and logo. The net result isthat tab sets are quite lightweight and flexible. A particular meaningto a tab set is not enforced; each user can generally use tab sets asthey wish.

Creating and Exchanging Applications

In one embodiment, users have the ability to create, post and exchangeapplications. As used herein, in one aspect, an application is a groupor package of multi-tenant database setup data (e.g., metadata) thatdefines its data model, user interface and business logic. For example,the user may define a tab set, which logically defines the group ofmetadata that makes up an application. As used herein, a “package” is ametadata object that references the set of metadata objects used in anapplication in an organization. As used herein, an “organization” canmean a single tenant in a multi-tenant system and/or a set of metadata(both application data and metadata) for a single tenant in amulti-tenant system.

In one embodiment, the present invention refines the concept of a tabset by allowing a user to precisely define a metadata “package” whichincludes all setup data (e.g., custom object definitions, page layoutdefinitions, workflow rules, etc.) that make up an application. Apackage may include 0, 1 or more tab sets. The user can then export thispackage from one “source” organization to a “container” organizationthat is not associated with any tenant in the database system. Anexported package is registered with or listed in an applicationdirectory. A user that creates and/or exports a package will be referredto herein as a source user or exporting user. The source user can chooseto have the package name and application listed in a public portion ofthe application directory. Another user can import the package into aseparate “target” organization allowing this organization to use theapplication independently of the creating organization. A user thatviews and/or imports a package will be referred to herein as a viewinguser or importing user.

Upon selecting a package for import, code on the server system takes themetadata from the container organization, selects the appropriaterecipient organization, reads the metadata from the containerorganization, and writes that metadata into the recipient organization.Any conflicting metadata (e.g., object or field names) can be resolvedby the importing user, e.g., by aborting or by renaming recipientorganization objects, fields, etc. It should be noted that the importprocess preferably does not overwrite any existing recipientorganization fields. Also, an import user can uninstall the importedapplication.

Embodiments of the package creation process and the export and importprocesses will now be described.

Package Creation

In the source organization, a source user creates a package definitionby selecting the appropriate setup data (metadata). This defines thegroup of setup data that makes up the application. For example, thesource user may select a high level tab set (group of tabs). The systemthen automatically determines object dependencies for the metadataincluded in the package. For example, in one aspect, the systemautomatically executes a dependency finder process (e.g., a process that“spiders” through the object schema and searches for objectdependencies) to determine all related objects that are required to usefunctionality provided by the tab set. In one aspect, this is done intwo passes—first top down, then bottom up to determine all inverserelationships between objects in the system and those identified by thetab set. Additionally or alternatively, the source user may explicitlyspecify the collection of setup data to include in the package.

In one aspect, one or more of the following items (pieces of metadata)can be included in a package:

-   -   1. Tab set (this would copy everything referenced by the tab set        definition)    -   2. Custom Object        -   a. Custom fields        -   b. Relationships (master-detail and Lookup)        -   c. Picklist values,        -   d. Page layouts,        -   e. Search layouts,        -   f. Related list layouts,        -   g. Public list views,        -   h. Custom Links        -   i. Any other items associated with the custom object    -   3. Custom Tab Definition    -   4. S-control, which in one aspect is a JavaScript program that        performs custom User Interface and business logic processing. A        package creator may specify the s-control that runs on a tab or        section of a page so that when a user navigates to the tab or        page, an application server downloads the JavaScript for        execution on a browser. An API is used to save data back to the        service when necessary.    -   5. Custom Report (One Report Folder will be created for each new        app.)    -   6. Dashboard    -   7. Email Temp late    -   8. Document    -   9. Profile Packages (Including FLS for Custom Objects) (Bundles        of permission data associated with profiles, to be defined        later)    -   10. Dependent picklists    -   11. Workflow rules    -   12. Record types

Additional metadata items that may be copied may include:

-   -   1. Custom fields for Standard objects    -   2. Mail Merge Templates    -   3. Business Processes    -   4. Assignment Rules (A form of workflow)    -   5. Auto-response rules (A form of workflow)    -   6. Escalation rules (A form of workflow)    -   7. Big Deal alerts I Opportunity Reminders    -   8. Self Service Portal Settings    -   9. VLO features, which in one aspect includes definitions of        different “divisions” within a company or organization. VLO        features allow an application to partition data by divisions and        thus limit the scope of reports and list views.    -   10. Delegated Administration settings    -   11. Home Page Components

FIG. 6 shows an example of a GUI screen that allows a user to create apackage, e.g., by selecting “New” with a pointing device, as well asdelete and edit existing packages, view a history of installed packagesand access a directory from which to install a package. FIG. 7 shows anexample of a GUI screenshot showing information, including includeditems, for a created package. A user is able to edit, delete and publisha package using such a screen.

A user may select to edit a package, e.g., by deleting items or addingitems. For example, if a user selects to delete a custom object (orother metadata that is included in a package), the system detects thisand alerts the user. If the user wishes to proceed, the metadata is thenremoved from the package. The next time the user views the packageitems, the deleted items will be gone. If the package has been exported,the metadata in the exported package is not affected. This featureprovides a backup to metadata, but does not provide backup to anyrecords which might have been created, although these records can besaved using a data loader or an Excel plug-in. If a user decides to addnew items to a package, a picklist of items available for inclusion maybe provided. Any item may be included in more than one package.

When adding an application (e.g., a tab set and/or other metadata items)to a package, the system should add all custom items which are relatedto this application. This includes the custom tabs, the objects behindthe tabs, and any custom objects which are related to these. Ideally,the dependency finder process (e.g., spider process) will also detectany custom objects which are related to any standard tabs which make upthe added application as well. Even though these standard objects maynot be included in the package, the junction objects and other relatedobjects are part of the functionality embodied in the application.Certain object dependencies should always be included. For example, incertain aspects, all the custom fields on a custom object are includedwith a custom object, and all page layouts are included with a customobject. In certain aspects, custom object related list layouts (thatappear on standard objects) are automatically included as well.

Once the user has finished defining the package, the package isvalidated. This can be done automatically by the system, e.g., when auser indicates that the package is complete, or it may be doneresponsive to a user request to validate, e.g., the user selecting a“validate” or similar button on a GUI. This invokes the spideringprocess that makes sure all required setup data is included in thepackage definition. This is useful in case a user has changed metadatain the package (e.g., added a relationship, another tab or object, etc.)since metadata items were first added to the package.

In one embodiment, a package is stored in the database as a set ofprimary keys of the objects included in the package. FIG. 8 shows anexample of a Project data model definition and a Project Member datamodel definition according to one embodiment.

Package Export

After defining the package, the source user can choose to export thepackage. Exporting the package makes it available for otherorganizations to import. In one aspect, when exporting a package, thesource user is able to specify whether to allow customizations of theapplication after it has been imported into other organizations. Forexample, in certain aspects, a flag is set (by the source user) in thepackage definition to indicate whether customizations to an exportedpackage are subject to upgrade. In certain aspects, a flag is set (bythe source user) to indicate whether a particular component/object inthe package can be altered at all.

Exporting is implemented, in one aspect, by the system automaticallycreating a new organization definition, e.g., with an organization oftype “container”, that includes a copy of all items (metadata) in thepackage including dependent object metadata not explicitly included bythe export user in the package definition. In one aspect, this containerorganization shares the same physical database (e.g., Oracle database)schema as all other organizations. However, the container organizationcould reside in a different, separate database. Further, this type oforganization (org) is preferably ignored by standard expiration andbilling processes where applicable. In certain aspects, where multipledatabase instances are present in a database system environment, anexported package is stored to one of the database instances as acontainer organization. The container organization is replicated to oneor more or all of the remaining database instances. The multipledatabase instances may, for example, be associated with differentgeographical regions. For example, one database instance might beassociated with Europe (EP) and one might be associated with NorthAmerica (NA). In this manner, staggered and independent upgrading ofdatabase instances is facilitated. For example, installs of packages maycontinue as new releases/upgrades to the database system are implementedin different instances. For example, where the EP instance is upgradedbefore (e.g., one or two weeks) the NA instance, installs of package Xfor NA would happen from the NA instance, and installs of package X forEP would happen from the EP instance replicated copy of package X. Thisensures installs from like versions would occur.

When the export process completes, the source user receives a URL thatincludes a unique key of the container organization. Anyone who knowsthe URL is able to access and import the package in the identified“container” organization into their own organization, e.g., the metadataassociated with that package is copied or instantiated into the schemaassociated with that organization. The source user may send the URL toanother user at another company, or the source user may post the URL toa directory as will be described in more detail below.

Once a package is exported, the package remains open in the sourceorganization, and the source user can continue to change it. However,the copy of the package in the container organization is preferablylocked from further changes.

A source user can export the same package multiple times, creatingmultiple container organizations. This allows a source user to create aversion history of how the package changes over time.

After the source user creates and exports the package to a containerorganization, they can optionally create a second new organizationobject with organization type “demonstration”. The demonstrationorganization has its own user id(s) and password(s). Any user who knowsthe id and password can log into the demonstration organization and viewthe exported package. Once logged in, the viewing user can manuallyvalidate that the required objects are present and the application worksas expected. If the exporting user specified that sample data beincluded in the export package, a viewing user can see the sample datawhen logging into the demonstration organization or they can add theirown sample data directly into the demonstration organization. In oneaspect, the source user must create a demonstration organization fortheir package before they publish it to the public directory. Thisassures that users browsing the directory have a place to “try out” theapplication before they choose to download or import the package. Forexample, a package may include a web integration link (WIL)—it is veryuseful to examine WILs in the demonstration organization to ensure thatthe services being used by WILs are trusted.

Once a demonstration organization has been created for a package, thesource user can “publish” the package to a centralized public directory.Upon publishing, the system notifies the central directory to includethe package by sending a message to the directory service. This message,in certain aspects, contains a URL that allows users to navigate fromthe public directory back to the container organization and import it.The message, in certain aspects, also includes a URL of thedemonstration organization. This allows users browsing the publicdirectory to “try it now”—they can log into the demonstrationorganization and thoroughly inspect the functionality. In certainaspects, the message includes descriptive data about the package (e.g.,name, description, etc) and a list of objects included in the package.The directory uses this information to provide detailed information forusers browsing the directory looking for packages to import. Additionaldetails about the public directory are described below.

Package Import

To import and install a package into an organization, an import usernavigates to the URL that was generated by the package export process,either through the directory, or via a message from the source user.This URL contains a unique key that identifies a particular exportedapplication and package. The import user may have found this URL bybrowsing the public directory, or the exporting user may have simplyemailed the URL to that user. When the import user clicks on the URLthey are able to access, view and import the package.

In one aspect, installation is a multi-step process with one or moresteps performed in the installation wizard. For example, in one aspect,the steps include providing a display of the package contents for theuser to examine and confirm they want to install, configuring thesecurity for the existing profiles in the installer's organization,importing the package contents, and deploying the application to theintended users. An import user may also choose to customize any items inthe install package.

In certain aspects, some or all of the following steps may need to beperformed or may occur during the package import and install process:

Log into the recipient organization by entering a UseriD and Password.This is a user id for the recipient organization into which the packageis to be imported.

Optionally, the exporter may have password protected the package. Ifthis is the case, the import user has to enter the package passwordbefore they can import it (this is a different password than the userpassword required to log into the recipient organization).

If object names in the package conflict with setup data in the recipientorganization, the import process may fail. The import user may changethe object names on conflicting objects within the recipientorganization and restart the import process.

During the import process, the recipient organization is locked toprevent inconsistent metadata updates.

The import process checks to make sure the importing user hasappropriate organization permissions to import a package.

The import user is asked to define mappings from source organizationspecific references in the package to values appropriate for therecipient organization. For example, the import user may be prompted tospecify a user id, profile or role.

The setup data is copied into the recipient organization in a“development” mode. This allows the import user to verify that theapplication functions correctly before deploying it to users within therecipient organization.

The import process scans the package for malicious functionality. Forexample, it can check for any Web Integration Links (WILs) that may postdata to third party websites.

If specified in the package definition, the import user is unable tochange any of the setup data in the package after it is imported. Forexample, the import user cannot add or remove fields from a customobject after it is imported if specified in the package definition. Thisis implemented by the custom object edit screen functionality checkingthe package definition tables before allowing any edits to an object inthe recipient organization.

The import user can optionally “uninstall” a package. This can beimplemented because the system keeps track of which metadata objectsbelong to the package (e.g., through the package database schema).

In certain aspects, packages may be upgraded. For example, if apublisher/export user changes the source package, the import user canchoose to pull into their organization the change(s) made by thepublisher while preserving any data rows the subscriber had creatingsince first importing the package. According to certain aspect, one ormore flags may be set in the package definition to determine whether andto what extent customizations to a package may be made and upgraded. Inone aspect, a “manageable” field is provided to identify whethercustomizations to a particular object are subject to upgrade. Forexample, if the package or an object in the package is marked asmanaged, the user is allowed to customize the package or the object, andthese customizations will not be altered upon upgrading of the package.In another aspect, a “control” field is provided to identify whether anobject may be modified by the publisher and/or the subscriber. Inanother aspect, an “immutable” field is provided to identify whether anobject can or cannot be altered by anyone. For example, the source usercan set the immutable flag so that nobody is able to modify the packagesafter it has been published. An upgrade process that executes checkseach of these fields, where present, to determine the extent thatcustomizations are maintained upon upgrading.

Application Directory

The present invention also provides a central directory of applications;source users can register packages in a central directory. In oneaspect, the central directory includes a public portion that includespublished packages intended for use by anyone, and a private portionthat includes packages not intended for general use (e.g., packagesintended for use by import users as selected by the source user). Thedirectory allows other users to browse published applications and choosewhich ones they want to install into their organization. In one aspect,the central directory is organized by a category hierarchy that allowsusers to search and browse by category for the types of applicationthey're interested in. In one aspect, the directory allows users to “tryit now”—they can look at the demonstration organization containing thepackage before they install it into their organization. In anotheraspect, the directory provides an automated approval process thatassures submissions are acceptable before they appear in the publicdirectory. In another aspect, the directory includes a ratings systemthat allows (import) users of an application to vote on an application'susefulness and quality. This voting appears in the public directory forother users to see.

In certain aspects, the directory is built using JSP pages, JSTL, a JSPtag library, JSP tags, and Java classes. In one aspect, data used by thedirectory is stored in an organization object managed by one or moredirectory administrators. Source users of applications may use thedirectory to input and maintain descriptive information held in aDirectoryEntry object for each application. Directory entries have anassociated status field and only applications having a status of“published” or “public” are rendered for a visitor. A status of“preview” allows source users and directory administrators to seeresults as they will appear on the web before they become public. In oneaspect, a display of applications according to solution categories isdynamically rendered based on a category picklist of values. Anapplications is tagged with the categories to which it belongs using amultiple select picklist. A new value may be added at any time to thepicklist and category label to create a new category.

Roles and Publishing Model

Except for visitors browsing the site, almost all other uses of thedirectory site should require the user to either login or have a validsession id. These users may play different roles and may have differentpermissions to perform actions according to these roles. For example,three basic roles might include developer, publisher, and importer.

Developers should be able to hand responsibility for publishing theapplication over to another trusted person through creation of apublisher role and editing permissions. A publisher (which defaults tothe developer himself) may be granted permission to create the originaldirectory entry describing the application, modify it at a later date,add other publishers to assist, or even remove the entry from thedirectory. As used herein a source user can be either or both of adeveloper and a publisher.

The user id of the person logging into the directory is used todetermine the roles and rights the user has in regards to eachapplication. Users should have no real access to the organization inwhich the directory is kept. User id's are, however, used to uniquelyidentify users and to retrieve information from their own organizationswhen necessary.

A developer is an original creator of the application and its packagethrough a setup wizard. One (optional) step in the wizard is to submitthe application for publication in the Directory. There, the developer,may either enter information himself or designate others to serve as thepublisher and maintainer of the directory entry. A publisher of a givendirectory entry is a user who is responsible for entering andmaintaining descriptive information about the application in thedirectory. Each application's directory entry has an assigned set ofpublishers along with permissions granted by the original submitter.These permissions give rights to edit fields, change status, remove theapplication from the directory or even add others as publishers (e.g.,with the same or lesser permissions). An importer is any import user,e.g., system administrator of an organization or tenant, who hasinitiated the import process of an application for deployment in theirown organization. During the import process, a record is created in thedatabase system showing what organizations have which applicationsimported and by whom. This may be used to show how popular anapplication is and if it is desirable, to restrict comments and ratingsto only those users of organizations that have the applicationinstalled. Individuals may participate in multiple roles at differenttimes; i.e., a user may be a developer of one application and an importuser for another.

Review of Directory Information

Publishers create an application's directory entry, input associatedinformation such as a description, thumbnail, screenshots, and otherinformation. Prior to becoming public, a publisher may preview thisinformation at any time. When the information is ready to be madepublicly available for viewing, the publisher changes the state to“submitted”. In one aspect, this initiates a review of the applicationby a directory administrator, who may request further information, etc.Once the application has completed review, the directory administratorchanges its state to “public”. This makes the application available forpublic viewing within the directory. Depending upon the businessprocess, the public state may also lock out any further changes bypublishers. In this case, should the publisher need to update thedirectory entry after being made public, a request could be filed withthe directory administrator to remove the entry from public view, e.g.,by changing the state back to new. If it is desirable to allowpublishers to modify entries without requesting permission to change andanother round of review, a Modified flag in the directory entry can beused to simply indicate that a public entry has been changed.

Reputation Management Through User Ratings and Comments

In one aspect, to give visitors an idea of what others think about eachapplication, viewing users may assign a rating to the application andprovide personal reviews in the form of comments. In one aspect, onlyusers of organizations that have actually installed the application mayprovide comments and/or ratings. This entitlement could be deduced, forexample, by looking at the import records created by systemadministrators who initiated the application installation.

To keep ratings an honest reflection of how the community rates theapplication, however, it may be necessary to provide some protectionfrom users gaming the system by making multiple postings. In any case,users may want to change their rating of an application from what theyinitially rated. In one aspect, this is accomplished by treating theratings system as one would voting; each user casts a vote for one offive possible star ratings associated with the application and eachapplication keeps a tally of the votes for each of the possible ratings.It then becomes trivial to determine the average rating for eachapplication and also yield a more informative histogram of the votes.Users may change their vote at any time, but no matter how many timesthey make a rating, they only get to vote once per application. A recordis kept for each user of their current rating for applications that theyhave rated or commented on.

Directory Data Model

FIG. 3 shows a data model for a Directory of applications according toone embodiment. As shown, the Directory data model according to thisembodiment includes five main objects: DirectoryEntry, CategoryPage,Publisher, Import and UserReview. It should be appreciated that fewer ormore objects may be used.

The DirectoryEntry object holds information pertaining to eachindividual application submitted for publication. Information is writtento this table by the web site during application submission ormodification and may be reviewed and modified by the appropriateinternal directory support personnel. FIG. 4 shows a definition of aDirectoryEntry object and other objects according to one embodiment.

Associated with each entry in the DirectoryEntry object is a statusfield indicating the status of the directory record. The values allowcoupling the external input and editing functions with an internalprocess of review and preview. Status values might include:

-   -   New: first created with only minimal information    -   Submitted: entry ready for internal review before publishing    -   Preview: allows internal site provider personnel to preview        information in the context of the site    -   Public: publishable, ready for public viewing    -   Inactive: no longer visible in the directory (deleted)        When the state is changed to Public, the developer and other        publishers for the application are notified, e.g., by e-mail,        and a publish date field or variable is set.

According to one aspect, each entry is associated with a multi-selectpicklist field representing the solution categories under which theapplication will be listed. The directory dynamically adapts tocategories so they may be added at any time. For readability, in oneaspect, the picklist values encode the category and/or subcategory intoeach name.

The total user votes for a rating, e.g., 1-5 stars, are stored in fieldsfrom which the average can be computed. Also, the system can determineand display the ratings for each 10 application, e.g., count how manyapplications were rated 1-star, 2-star, etc.

The CategoryPage object is used to form the category hierarchy drivingthe Directory's dynamic generation of category pages. This object alsoholds a title for the page along and a list of several applications todisplay as featured selections on the page.

The Publisher object holds the user id of a user (e.g., source user)responsible for creating and maintaining the application's directoryentry along with their editing permissions. Examples of permissionlevels include:

-   -   Edit: grants someone the right to edit the modifiable fields in        the Directory Entry    -   Delete: grants the user the right to delete the DirectoryEntry    -   AddUser: grants the user the right to add additional users with        the same or more restrictive rights.        In one aspect, permission ordering from most-to-least is Delete,        AddUser, Edit.

The Import object acts as a record of what imports have been initiatedof an application into any particular organization. This object holdsids of the DirectoryEntry (or package id), the system administratorimporting the application, the organization affiliation of the systemadministrator, and the date of import. This object allows ranking ofapplications based on the number of imports and can be used, ifdesirable, to limit users to commenting and rating only on thoseapplications that have been imported in their own organizations.

The UserReview object holds comments and ratings made by a specifieduser of a particular application entry. Restrictions may be imposed onwho can add comments and rate applications such as only allowingauthenticated users or even restricting only to those users inorganizations that have imported the application. An implementation neednot have any such restriction.

Implementing Categories Using CategoryPage Objects

A useful user requirement on the Directory is to be able to see a listof applications by solution category. Any application may appear in anynumber of categories and categories are preferably nested. Additionally,to allow other views of the data, such as by business size or marketsegment, it is desirable to be list applications accord to differentcategorization schemes.

According to one aspect, categories are assigned as the application oftags (out of a multi-select picklist) to each application entry. A userworking on preparing the directory entry for an application is presentedwith the current categorization scheme in the form of a set of checkboxes to indicate which categories apply to the application. The systemwill assign the necessary picklist values to the application's directoryentry.

To make it easy for a directory administrator to manually make entriesand run reports showing which applications are in which categories, inone aspect, each application entry contains a category field containinga multi-select picklist of available categories. For readability,picklist values representing a subcategory should show the path tosubcategory, i.e., “Consumer+Games” value would imply the applicationexists in the subcategory Games under the Consumer category. Multiplevalues place the application into multiple categories.

Because categories and their hierarchies are created for the purpose ofgenerating category pages, the hierarchical representation of aparticular category hierarchy uses a set of CategoryPage objects. In oneaspect, a CategoryPage object exists for each category and/orsubcategory available. CategoryPage objects are linked together to forma tree through fields specifying the node's own category and thecategory of its parent node. Root nodes, are indicated by CategoryPageswhich have no parent. (See, e.g., FIG. 5 ). Tree traversal isaccomplished by query. For example, to find the labels of top levelcategories of a particular hierarchy, called All-Solutions, a querymight look like:

-   -   select Label from CategoryPage_c where        ParentNode_c=All-Solutions'.

In one aspect, display nodes also carry additional information used byJSP pages rendering the list of applications falling into the specifiedcategory. This additional information includes a field for maintaining acount of associated applications, page title label, page body text, andapplications to feature on the page.

In summary, directory supported user functions might include:

-   -   For visitors (viewing and importing users):        -   View application list filtered and sorted by business area            (category), author, date submitted, rating, or other            criteria        -   View full application description (detail page)        -   View full application specification/profile (such as # of            objects, object names, web integration links (WILs), etc.)        -   View aggregated user ratings of applications        -   View “highlighted” applications according to business area            or overall        -   View top ranked applications        -   View most popular applications        -   Submit/change their rating of individual applications            (optional restriction)        -   Post comments associated with individual applications            (optional restriction)        -   Try out application in app-specific demonstration            organization        -   Import application to their own organization    -   For developers (export users):        -   View application packages that the developer developed        -   Submit application for publication along with associated            descriptive information.        -   Remove applications from the directory        -   Edit/update application descriptions        -   Receive email notification when application has been            approved by provider review        -   Delegate responsibility over the management and publication            of the application to other users        -   Upload images, pdfs, and other documents associated with the            application as attachments to the DirectoryEntry

Miscellaneous

In one alternate embodiment, rather than using a new type oforganization (e.g., container organization) in the database schema tostore an exported package, exported packages are implemented as binarylarge objects in the database (e.g., Oracle db) or as text or binarydata stored in a flat file format. However, upgrade scripts may not workwell against flat files. Therefore, in one embodiment, a package isimplemented as a separate “hidden” organization within the databasesystem (e.g., salesforce.com service). This advantageously allowsrelease upgrade scripts to upgrade these exported organizations.

In one aspect, storing a foreign key to the unique package id on allsetup data included in the package is performed instead of storing apackage table including the primary keys of all objects in the package.However, the package table approach is preferred as it makes it moreefficient to quickly determine which objects were included in thepackage at runtime. It may be desirable to determine which objects wereincluded in the package at runtime to differentiate between installedpackages from the base system or from each other. For example, in thecustom object edit screens, custom objects that were imported as readonly cannot be modified while all other custom objects (not imported)can be modified.

While the invention has been described by way of example and in terms ofthe specific embodiments, it is to be understood that the invention isnot limited to the disclosed embodiments. To the contrary, it isintended to cover various modifications and similar arrangements aswould be apparent to those skilled in the art. Therefore, the scope ofthe appended claims should be accorded the broadest interpretation so asto encompass all such modifications and similar arrangements.

What is claimed is:
 1. A computer-implemented method of installing andcustomizing an application published in an application directory of amulti-tenant system, the application created by a source organization inthe multi-tenant system, the method including: receiving a request froma user of a recipient organization in the multi-tenant system to installthe application from the application directory; installing theapplication for the recipient organization responsive to receiving therequest to install the application; customizing the application for therecipient organization; and deploying the customized application for therecipient organization to make the customized application accessible tousers of the recipient organization.
 2. The computer-implemented methodof claim 1, further comprising: receiving a request from the user of therecipient organization to uninstall the application; and uninstallingthe application for the recipient organization responsive to receivingthe request to uninstall the application.
 3. The computer-implementedmethod of claim 1, further comprising: scanning the application formalicious functionality.
 4. The computer-implemented method of claim 1,wherein the application is password-protected such that the user of therecipient organization must enter a correct password to install theapplication for the recipient organization.
 5. The computer-implementedmethod of claim 1, further comprising: detecting a conflict betweenobjects of the application and objects of the recipient organization;and presenting an interface that allows the user of the recipientorganization to resolve the conflict.
 6. The computer-implemented methodof claim 1, further comprising: presenting an interface that allows theuser of the recipient organization to define mappings from references inthe application that are specific to the source organization to valuesthat are appropriate for the recipient organization.
 7. Thecomputer-implemented method of claim 1, further comprising: upgradingthe application for the recipient organization in response to adetermination that the source organization has updated the application.8. The computer-implemented method of claim 7, wherein the upgradingincludes determining a value of a manageable field for an object of theapplication, determining a value of a control field for the object, ordetermining a value of an immutable field for the object, wherein themanageable field for the object is used to indicate whethercustomizations to the object are subject to upgrade, wherein the controlfield for the object is used to indicate whether the object may bemodified by a publisher or subscriber, and the immutable field for theobject is used to indicate whether the object may be modified at all. 9.The computer-implemented method of claim 1, further comprising:determining whether the user of the recipient organization hasorganizational permission to install and customize the application forthe recipient organization.
 10. A computer system to execute a method ofinstalling and customizing an application published in an applicationdirectory of a multi-tenant system, the application created by a sourceorganization in the multi-tenant system, the computer system comprising:one or more processors; and a non-transitory computer-readable mediumhaving stored therein computer instructions, that when executed by theone or more processors, causes the computer system to: receive a requestfrom a user of a recipient organization in the multi-tenant system toinstall the application from the application directory, install theapplication for the recipient organization responsive to receiving therequest to install the application, customize the application for therecipient organization, and deploy the customized application for therecipient organization to make the customized application accessible tousers of the recipient organization.
 11. The computer system of claim10, wherein the instructions, when executed by the one or moreprocessors, further causes the computer system to: receive a requestfrom the user of the recipient organization to uninstall the applicationand uninstall the application for the recipient organization responsiveto receiving the request to uninstall the application.
 12. The computersystem of claim 10, wherein the instructions, when executed by the oneor more processors, further causes the computer system to: detect aconflict between objects of the application and objects of the recipientorganization and present an interface that allows the user of therecipient organization to resolve the conflict.
 13. The computer systemof claim 10, wherein the instructions, when executed by the one or moreprocessors, further causes the computer system to: present an interfacethat allows the user of the recipient organization to define mappingsfrom references in the application that are specific to the sourceorganization to values that are appropriate for the recipientorganization.
 14. The computer system of claim 10, wherein theinstructions, when executed by the one or more processors, furthercauses the computer system to: upgrade the application for the recipientorganization in response to a determination that the source organizationhas updated the application.
 15. The computer system of claim 14,wherein the upgrading includes determining a value of a manageable fieldfor an object of the application, determining a value of a control fieldfor the object, or determining a value of an immutable field for theobject, wherein the manageable field for the object is used to indicatewhether customizations to the object are subject to upgrade, wherein thecontrol field for the object is used to indicate whether the object maybe modified by a publisher or subscriber, and the immutable field forthe object is used to indicate whether the object may be modified atall.
 16. A non-transitory computer-readable storage medium having storedtherein a set of instructions, the set of instructions, when executed byone or more processors of a computer system causes the computer systemto perform a set of operations for installing and customizing anapplication published in an application directory of a multi-tenantsystem, the application created by a source organization in themulti-tenant system, the set of operation comprising: receiving arequest from a user of a recipient organization in the multi-tenantsystem to install the application from the application directory;installing the application for the recipient organization responsive toreceiving the request to install the application; customizing theapplication based for the recipient organization; and deploying theapplication for the recipient organization to make the customizedapplication accessible to users of the recipient organization.
 17. Thenon-transitory computer-readable storage medium of claim 16 havingfurther instructions stored therein, which when executed by the one ormore processors, causes additional operations to be performed by thecomputer system, the additional operations comprising: receiving arequest from the user of the recipient organization to uninstall theapplication; and uninstalling the application for the recipientorganization responsive to receiving the request to uninstall theapplication.
 18. The non-transitory computer-readable storage medium ofclaim 16 having further instructions stored therein, which when executedby the one or more processors, causes additional operations to beperformed by the computer system, the additional operations comprising:detecting a conflict between objects of the application and objects ofthe recipient organization; and presenting an interface that allows theuser of the recipient organization to resolve the conflict prior to theapplication being installed.
 19. The non-transitory computer-readablestorage medium of claim 16 having further instructions stored therein,which when executed by the one or more processors, causes additionaloperations to be performed by the computer system, the additionaloperations comprising: presenting an interface that allows the user ofthe recipient organization to define mappings from references in theapplication that are specific to the source organization to values thatare appropriate for the recipient organization.
 20. The non-transitorycomputer-readable storage medium of claim 16 having further instructionsstored therein, which when executed by the one or more processors,causes additional operations to be performed by the computer system, theadditional operations comprising: upgrading the application for therecipient organization in response to a determination that the sourceorganization has updated the application.